
Environment variables

Manage configuration and secrets at the project or service level. Values are encrypted at rest.

Where vars come from

At runtime, Dockfly merges variables from three layers, in this order:

  1. Dockfly-injected (PORT, DATABASE_URL, REDIS_URL, region info, and so on).
  2. Project-level — shared across every service in the project.
  3. Service-level — overrides for a single service. These win when there's a conflict.

Add a variable

From the dashboard, open the service's Variables tab and click Add variable. Or use the CLI:

```bash
# Set one variable
$ dockfly env set STRIPE_API_KEY=sk_live_… --service api
✓ encrypted at rest

# Import from a .env file
$ dockfly env import .env --service api
✓ imported 18 variables

# List variables (values masked)
$ dockfly env list --service api
DATABASE_URL  ********  (auto-injected)
NODE_ENV      production
STRIPE_API_KEY ********
```

After a variable is created its value is never shown again, in the dashboard or the API. To rotate, set a new value — the old one is overwritten.

Secrets vs. config

Dockfly treats every variable as a secret. Values are encrypted at rest with envelope encryption (AES-256 + per-tenant data keys), never appear in build logs, and are scrubbed from any export.

Sealed import / export

For team rotation, use sealed exports. The CLI encrypts the bundle to a recipient's public key, and the recipient decrypts it locally:

```bash
$ dockfly env export --service api --to [email protected] > vars.sealed
✓ sealed (1.2 KB) for [email protected]

# On teammate's machine
$ dockfly env import-sealed vars.sealed --service api
✓ imported 18 variables
```

Auto-injected variables

Some variables are added automatically — you can't override them. The most useful:

```bash
PORT                # The port your service should bind to (set per-service)
DOCKFLY_REGION      # e.g. "sg1"
DOCKFLY_DEPLOY_ID   # the current deploy id
DOCKFLY_GIT_SHA     # commit sha of the running build

# When a database service is in the project:
DATABASE_URL        # postgres://… (or mysql://, mongodb://)
REDIS_URL           # redis://…
```

Per-environment overrides

If a service has preview deployments enabled, you can set variables that only apply to preview, staging, or production:

```bash
$ dockfly env set STRIPE_API_KEY=sk_test_… --service api --env preview
$ dockfly env set STRIPE_API_KEY=sk_live_… --service api --env production
```

By default, preview environments inherit production secrets. Always scope payment keys, third-party API tokens, and other sensitive values to production only.
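
The following Python sketch is an added example, not Dockfly code: it models the three-layer merge and the default preview inheritance described on this page, and lists the sensitive variables whose preview value is the same one production uses. The scope name "all" (for variables set without `--env`), the name-matching heuristic, `SENDGRID_TOKEN` and every value shown are assumptions made for the illustration.

```python
import re

# Heuristic for "sensitive" names; an assumption of this example.
SENSITIVE = re.compile(r"KEY|TOKEN|SECRET|PASSWORD", re.I)

def resolve(injected, project, service, env):
    """Return {name: (value, origin)} as the service would see it in `env`.

    Layers merge in the page's order: injected, project, service (service
    wins). `service` maps a scope ("all", "production", "preview", ...) to
    its variables; preview inherits the production scope by default.
    """
    merged = {name: (value, "injected") for name, value in injected.items()}
    scopes = ["all", "production", "preview"] if env == "preview" else ["all", env]
    layers = [("project", project)]
    layers += [(f"service/{s}", service.get(s, {})) for s in scopes]
    for origin, layer in layers:
        for name, value in layer.items():
            if name not in injected:  # auto-injected names cannot be overridden
                merged[name] = (value, origin)
    return merged

def shared_with_production(injected, project, service):
    """Sensitive names whose preview value equals the production value."""
    prod = resolve(injected, project, service, "production")
    prev = resolve(injected, project, service, "preview")
    return sorted(
        name for name, (value, origin) in prev.items()
        if SENSITIVE.search(name) and origin != "injected"
        and name in prod and prod[name][0] == value
    )

# Constructed sample data; SENDGRID_TOKEN and all values are placeholders.
INJECTED = {"PORT": "8080", "DATABASE_URL": "postgres://placeholder"}
PROJECT = {"NODE_ENV": "production", "PORT": "3000"}  # PORT here is ignored
SERVICE = {
    "production": {"STRIPE_API_KEY": "sk_live_PLACEHOLDER",
                   "SENDGRID_TOKEN": "sg_PLACEHOLDER"},
    "preview": {"STRIPE_API_KEY": "sk_test_PLACEHOLDER"},
}

if __name__ == "__main__":
    for name in shared_with_production(INJECTED, PROJECT, SERVICE):
        origin = resolve(INJECTED, PROJECT, SERVICE, "preview")[name][1]
        print(f"preview sees production value of {name} (from {origin})")
```

In the sample, `STRIPE_API_KEY` is clean because it has a preview override, while `SENDGRID_TOKEN` is reported because it was set for production only and is inherited.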